North American Network Operators Group

Re: Port 139 scans

  • From: Ben Browning
  • Date: Thu Sep 28 13:55:36 2000

At 09:54 AM 9/28/00 -0700, [email protected] wrote:
> By the way, we identified a couple instances of the virus that Ken Lindahl
> mentioned in his earlier post.

Indeed, nearly all of my woes have disappeared with this information. Thanks Ken!

Additionally, I set a trap for it yesterday. I opened a Windows box up to all internet traffic, made it nice and insecure (let me tell ya, that took a lot of work ;), and dialed it up. Then every half hour or so I checked for it. After an hour, I had a bug in a bottle.

Busting out the handy hex editor, I scrolled down, and down, and down, until what should appear before my burning eyes, but Lo! An IP address...

...which points to an open mail relay somewhere in China ( which then is used to send the info (likely the IP addy of the infected box) to the local user nongmin_cn. If anyone else goes through this process, I'd be interested in knowing about it.

I already sent off abuse complaints to the upstreams for that IP. Hope they can read English :)

Ben Browning <[email protected]> Network Operations
Tel (206) 443-8000 Fax (206) 443-0500